Marriott fined £99m for 2018 data breach
ICO says the hotel chain 'failed to undertake due diligence' in Starwood acquisition
The Information Commissioner's Office (ICO) has said it will fine Marriott International over £99 million following a breach of its systems that led to the exposure of approximately 339 million guest records.
The hotel chain revealed in November that an unknown third party had gained unauthorised access to its Starwood guest reservation system by exploiting an unpatched vulnerability dating back to 2014.
Of the 339 million records accessed, it's thought around 30 million were related to residents of 31 countries in the European Economic Area, including seven million belonging to UK citizens.
Following an investigation by the ICO, it was found that Marriott, which bought the Starwood brand in 2016, "failed to undertake sufficient due diligence" during the acquisition and missed the vulnerability as a result. The hotel chain has now been fined £99,200,396 for infringements of the GDPR.
"The GDPR makes it clear that organisations must be accountable for the personal data they hold," said Information Commissioner Elizabeth Denham. "This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.
"Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn't happen, we will not hesitate to take strong action when necessary to protect the rights of the public."
Despite the large fine, the ICO said Marriott has co-operated with its investigation and has made improvements to its security arrangements since the breach came to light. The company will now have an opportunity to make representations to the ICO as to the proposed findings and sanction.
It's been a busy week for the UK's data watchdog, which on Monday announced its intent to fine British Airways for a similar data breach in September 2018. On that occasion, the penalty was a record-breaking £183 million after hackers compromised the personal data of half a million customers.